multiple partitions - useful mount options for extra security

Rudolf Floers r.floers at web.de
Sun Jan 14 03:52:15 PST 2001


i did a some research on the stuff, ...
a binary which is on a partition mounted noexec, can esiliy be executed,

	[user at host]# /lib/ld-linux.so.2 /mnt/noexec-partition/binary

either not many people know about or .. wth haven't you told me .. ;)
even if we would use statically linked binaries only, i'm not sure we 
simply could delete ld-linux.so.

sorry,
rudolf




On Mon, Dec 18, 2000 at 02:10:29PM -0500, J.A. Neitzel wrote:

> > > well think it's a good idea to mount var, tmp and maybe home
> > > rw,noexec and nodev. everything else could be mounted ro, but unless
> > > you use devfs you will run into problems with /dev mounted readonly.
> >
> > i think it's not a good idea to use such a setup on development
> > machines, but ona mail,pop3,firewall,ftp,.. server it does improve
> > security. you don't want to change files in /usr so often on such
> > machines.
> 
> Indeed, I do agree with you!
> 
> If only I could get a second, or third, machine... then I could *really* 
> cook with all these ideas! Hmmm, *_dreaming_* ;-))
> 
> > i also like the idea to put certain, security-concerning binaries on a
> > maintenance cd. you could put the mount/umount command on that cd, too.
> > and then use a special mount/umount binary on your servers harddisk.
> > this special mount command should only be able to mount the cd drive -
> > nothing else. if you also removed all other chances to remount your
> > partitions off your system (perl, for instance), even a root couldn't
> > modify/delete your read-only data and couldn't upload _and_ execute his
> > own stuff. (unless the maintenance cd is in the drive..., of course)





More information about the lfs-security mailing list